
Thread: BitTorrent Tracker Analysis : What.CD

  1. #1

    Join Date
    20.07.09
    Posts
    56

    Post BitTorrent Tracker Analysis : What.CD

    Project Gazelle is a PHP frontend for private BitTorrent trackers, developed by What.CD sysops.
    Private trackers that use Gazelle: What.CD, Save The Coratee, TorrentIt, Vortex, Wunza, Filmdom, PTP, etc.
    The source code itself is available to the public; google it for more info.

    After you read this article, I hope you gain knowledge about how staff members find cheaters and avoid any future ban from What.CD.

    Note from the developers :
    "some of our tools, such as cheater evasion, will not be included in the public version of the source, for obvious reasons."
    This is true. If you read the source code, it's clear that they removed any anti-cheating scripts from the public source code.
    But keep reading, you'll understand how they catch cheaters so fast even if you make a little mistake.

    I'll divide the analysis into two sections :

    I. Gazelle Source Code
    II. Staff Account's Screenshot

    I. Gazelle Source Code

    PHP Code:
    // Check DNS blacklists to see if IP is a proxy or a tor node
    function blacklisted_ip($IP) {
        // http://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists
        $DNSBLs = array('http.dnsbl.sorbs.net', 'misc.dnsbl.sorbs.net', 'socks.dnsbl.sorbs.net', 'ohps.dnsbl.net.au', 'tor.dan.me.uk');

        // Reverse IP, so 127.0.0.1 becomes 1.0.0.127
        $IP = implode('.', array_reverse(explode('.', $IP)));

        foreach ($DNSBLs as $DNSBL) {
            $TestHost = $IP.'.'.$DNSBL;
            $ResolvedHost = gethostbyname($TestHost);
            // gethostbyname() returns its argument unchanged when the lookup fails
            if ($ResolvedHost != $TestHost) {
                return $DNSBL.' ('.$TestHost.' returned '.$ResolvedHost.')';
            }
        }
        return false;
    }

    This function checks whether the user uses a proxy / tor to access the website by checking these lists:
    1. http.dnsbl.sorbs.net : Open HTTP proxy servers
    2. misc.dnsbl.sorbs.net : Additional proxy servers
    3. socks.dnsbl.sorbs.net : Open SOCKS proxy servers
    4. ohps.dnsbl.net.au : RIP as of April 29, 2009
    5. tor.dan.me.uk : All tor nodes (both entry and exit nodes)
    You can use dnsbltools.com to check if your IP/proxy is in DNS blacklists or not.


    PHP Code:
    // Cookie management
    if ($_COOKIE['keeplogged'] != '') {
        $LoginCookie = decrypt($_COOKIE['keeplogged']);
        $LoginCookie = explode("|~|", decrypt($LoginCookie));
        $CookieID = $LoginCookie[2];
        if ($CookieID != $LoggedUser['CookieID'] || !$CookieID) {
            // The user's cookie is different from the one we have stored in the database
            // They're either trying hax, or have logged in from multiple computers.
            // Both of these are a big no-no.
            logout();
        }
    }
    This routine checks whether the cookie in your browser differs from the one in the database.


    PHP Code:
    CREATE TABLE `cheater_log` (
      `ID` int(5) NOT NULL auto_increment,
      `Client` varchar(8) default NULL,
      `User` int(10) default NULL,
      `TorrentID` int(10) default NULL,
      `Test` int(2) default NULL,
      `Time` timestamp NOT NULL default CURRENT_TIMESTAMP,
      `Peers` text,
      `GroupID` int(10) default NULL,
      PRIMARY KEY  (`ID`)
    ) ENGINE=InnoDB DEFAULT CHARSET=latin1
    Once they catch a cheater, they store the data in this table.


    PHP Code:
    CREATE TABLE `users_history_emails` (
      `UserID` int(10) NOT NULL,
      `OldEmail` varchar(255) default NULL,
      `NewEmail` varchar(255) default NULL,
      `ChangeTime` datetime default NULL,
      `ChangerIP` varchar(15) default NULL
    ) ENGINE=InnoDB DEFAULT CHARSET=latin1;

    CREATE TABLE `users_history_ips` (
      `UserID` int(10) NOT NULL,
      `IP` varchar(15) NOT NULL default '0.0.0.0',
      `StartTime` datetime NOT NULL default '0000-00-00 00:00:00',
      `EndTime` datetime default NULL,
      PRIMARY KEY  (`UserID`,`IP`,`StartTime`),
      KEY `UserID` (`UserID`),
      KEY `IP` (`IP`),
      KEY `StartTime` (`StartTime`),
      KEY `EndTime` (`EndTime`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

    CREATE TABLE `users_history_passkeys` (
      `UserID` int(10) NOT NULL,
      `OldPassKey` varchar(32) default NULL,
      `NewPassKey` varchar(32) default NULL,
      `ChangeTime` datetime default NULL,
      `ChangerIP` varchar(15) default NULL
    ) ENGINE=InnoDB DEFAULT CHARSET=latin1;

    CREATE TABLE `users_history_passwords` (
      `UserID` int(10) NOT NULL,
      `ChangeTime` datetime default NULL,
      `ChangerIP` varchar(15) default NULL
    ) ENGINE=InnoDB DEFAULT CHARSET=latin1
    These changes are logged, with IP & timestamp.
    1. Email change
    2. IP change
    3. Passkey change
    4. Password change


    PHP Code:
    $DB->query("SELECT MAX(Sequence) FROM users_history_ratio");
    list($Sequence) = $DB->next_record();
    $LastSequence = $Sequence;
    $Sequence++;
    if (!$Sequence) {
        $Sequence = 1;
    }

    // Snapshot every user's totals and the change since the previous snapshot
    $DB->query("INSERT INTO users_history_ratio(Sequence, UserID, Uploaded, Downloaded, UpChange, DownChange, Time)
        SELECT '$Sequence', m.ID, m.Uploaded, m.Downloaded, (m.Uploaded - r.Uploaded), (m.Downloaded - r.Downloaded), '".sqltime()."'
        FROM users_main AS m
        LEFT JOIN users_history_ratio AS r ON r.UserID=m.ID AND r.Sequence='$LastSequence'");
    Every day and every hour, a script dumps your ratio history to the database.
    This is what the script logs:
    - UserID
    - Uploaded
    - Downloaded
    - UpChange
    - DownChange
    - Time
    The log is stored separately, so at day 20 staff can still see how much you uploaded / downloaded at day 5.


    PHP Code:
    m_cheater = false;
    m_cheater_speed = 26214400;
    XBTT's abnormal upload speed detection, deactivated by default.
    If upload speed is greater than 25 MB/s, the user is considered to be cheating.


    PHP Code:
    // F****** btjunkie piece of s***
    if (strpos($_SERVER['HTTP_REFERER'], 'btjunkie.org')) {
        // This code is executed if someone is downloading a torrent from btjunkie
        // Do what you want here, be creative. ;)
    }

    Yeah, they hate btjunkie. Don't try to download What.CD's torrents from btjunkie.


    PHP Code:
    log_attempt($UserID);
    if ($Enabled == '2') {
        $Err = 'Your account has been disabled.<br />This is either due to inactivity or rule violation.';
    } elseif ($Enabled == '0') {
        $Err = "Your account has not been confirmed.<br />Please check your email.";
    } else {
        $Err = "Your username or password was incorrect.";
    }

    If you're unable to log in, there are 3 reasons given:
    - Your account has been disabled. This is either due to inactivity or rule violation.
    - Your account has not been confirmed.
    - Your username or password was incorrect.
    You won't see the ban reason, although moderators usually put the reason in the Staff Notes.


    PHP Code:
    `BanReason` enum('0','1','2','3','4') NOT NULL default '0',

    // Disabled manually by moderators / admins
    BanReason=1

    // If a user hasn't been taken off ratio watch in the two weeks since he was put on, banhammer
    BanReason=2
    AdminComment=Disabled by ratio watch system

    // If a user has downloaded more than 10 gigs while on ratio watch, banhammer
    BanReason=3
    AdminComment=Disabled by ratio watch system for downloading more than 10 gigs on ratio watch

    // Disable inactive user accounts
    BanReason=3
    AdminComment=Disabled for inactivity

    // Disable unconfirmed users
    BanReason=3
    AdminComment=Disabled for inactivity (never logged in)
    There are 4 different kinds of ban reason.
    I haven't seen the 4th reason in the source code; maybe it's either "reserved" or "disabled automatically for cheating".


    PHP Code:
    $DB->query("UPDATE users_info AS ui JOIN users_main AS um ON um.ID=ui.UserID
        SET um.Enabled='2',
        ui.BanDate='".sqltime()."',
        ui.BanReason='3',
        ui.AdminComment=CONCAT('".sqltime()." - Disabled for inactivity', ui.AdminComment)
        WHERE um.PermissionID IN ('".USER."', '".MEMBER."')
        AND um.LastAccess<'".time_minus(60*60*24*7*10)."'
        AND um.LastAccess!='0000-00-00 00:00:00'
        AND ui.Donor='0'
        AND um.Enabled!='2'");
    Users will be disabled for inactivity if they don't log in for 10 weeks (70 days).


    PHP Code:
    $DB->query("UPDATE users_info AS ui JOIN users_main AS um ON um.ID=ui.UserID
        SET um.Enabled='2',
        ui.BanDate='".sqltime()."',
        ui.BanReason='3',
        ui.AdminComment=CONCAT('".sqltime()." - Disabled for inactivity (never logged in)', ui.AdminComment)
        WHERE um.LastAccess='0000-00-00 00:00:00'
        AND ui.JoinDate<'".time_minus(60*60*24*7)."'
        AND um.Enabled!='2'");
    Unconfirmed users will be disabled after 1 week (7 days).



    II. Staff Account's Screenshot

    Maybe you have seen lots of What.CD tracker screenshots, with user / power user permission.
    It's time to see what staff account screenshots look like.
    Since we'll deal with staff more often than admin account, let's focus on staff account :

    1. Staff Account's Toolbox


    2a. User's Permission


    2b. Power User's Permission


    2c. Staff's Permission


    3. IP Bans
    Note : There's no expiry date


    4. Login Watch


    5. Invite Pool


    6. User Search


    7. Active Reports


    8. Duplicate IPs


    9. User's Profile
    Unlike regular users, staff have access to specific features when they access your profile.


    10. Watched users
    Usually, staff have to click "Add to watchlist" to make a user account go into the "Watch List".
    But I'm sure the system will add any account to the "Watch List" automatically if the account meets specific suspicious conditions.


    Final Note :
    Gazelle is open source, so developers can easily modify it to add more features, like new features in the toolbox or anti-cheating scripts.
    What you see here may be obsolete a few months later.

  2. Who Said Thanks:

    DUPE (11.08.16) , Lucius (25.07.14) , Damnsel (02.01.13) , illusive (12.09.11) , Dr.house (11.05.11) , Uninvited2611 (05.08.10) , Vuze-Sbi (05.08.10) , (24.03.10) , Vation (07.02.10) , abookhalil (22.12.09) , pimphead07 (22.12.09) , Instab (22.12.09) , GotIt (15.12.09) , saebrtooth (13.11.09) , MiCRON (11.10.09) , thecoolest (03.09.09) , Dark Knight (03.08.09) , Haggar (31.07.09) , Kyllyee (31.07.09) , Mihai (31.07.09) , alpacino (31.07.09) , anonftw (31.07.09) , hitman (30.07.09) , ghostfucker (30.07.09) , SBfreak (30.07.09) , naughtydog (30.07.09) , cheatos (30.07.09) , IceBox (30.07.09) , Großmutter (30.07.09) , shoulder (30.07.09) , anon (30.07.09)
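
Added example, not part of the original post and not Gazelle's own code: the `blacklisted_ip()` check in post #1 counts any successful resolution as a listing, so a retired zone such as the one the post marks as dead can flag every visitor if its domain starts answering all names. This PHP version accepts only answers in 127.0.0.0/8, rejects input that is not an IP address and also builds IPv6 query names; the function names, the injected resolver and the sample answers are assumptions made for the example.

```php
<?php
// Added example, not Gazelle code. dnsbl_query_name(), dnsbl_is_listed() and the
// $resolve callable are hypothetical names; the zone answers below are constructed.

// Build the DNSBL query name: reversed octets for IPv4, reversed nibbles for IPv6.
function dnsbl_query_name(string $ip, string $zone): ?string {
    $packed = @inet_pton($ip);
    if ($packed === false) {
        return null; // not an IP address, so it never reaches the resolver
    }
    $labels = strlen($packed) === 4
        ? explode('.', inet_ntop($packed))   // 4 octets
        : str_split(bin2hex($packed));       // 32 hex nibbles
    return implode('.', array_reverse($labels)) . '.' . $zone;
}

// Listed only if the zone answers with an A record in 127.0.0.0/8. NXDOMAIN, or
// a retired zone that resolves every name to some public address, is not a hit.
function dnsbl_is_listed(string $ip, string $zone, callable $resolve): bool {
    $name = dnsbl_query_name($ip, $zone);
    if ($name === null) {
        return false;
    }
    foreach ($resolve($name) as $answer) {
        $octets = explode('.', (string) $answer);
        if (count($octets) === 4 && $octets[0] === '127') {
            return true;
        }
    }
    return false;
}

// Constructed answers standing in for DNS so the example runs offline.
// Live resolver: fn($n) => array_column(dns_get_record($n, DNS_A) ?: [], 'ip')
$answers = [
    '2.0.0.127.tor.dan.me.uk'       => ['127.0.0.100'],  // a normal listing
    '9.113.0.203.ohps.dnsbl.net.au' => ['198.51.100.7'], // retired zone, wildcard answer
];
$resolve = function (string $name) use ($answers): array {
    return $answers[$name] ?? [];
};

var_dump(dnsbl_is_listed('127.0.0.2', 'tor.dan.me.uk', $resolve));
var_dump(dnsbl_is_listed('203.0.113.9', 'ohps.dnsbl.net.au', $resolve));
var_dump(dnsbl_is_listed('203.0.113.9', 'tor.dan.me.uk', $resolve));
var_dump(dnsbl_query_name('2001:db8::1', 'tor.dan.me.uk'));
var_dump(dnsbl_query_name('not-an-ip', 'tor.dan.me.uk'));
```
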
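
Added example, not part of the original post and not Gazelle or XBTT code: one way staff tooling could read the `users_history_ratio` snapshots described in post #1, turning each `UpChange` into an average rate and comparing it with the 26214400 bytes/s figure from the XBTT setting. Applying that threshold to snapshot deltas, the function name and the sample rows are assumptions.

```php
<?php
// Added example, not Gazelle or XBTT code. flag_fast_uploaders() is a
// hypothetical name and the sample rows are constructed.
const CHEATER_SPEED = 26214400; // bytes/s, the m_cheater_speed value quoted in the post

// $rows: users_history_ratio rows with Sequence, UserID, UpChange and Time.
function flag_fast_uploaders(array $rows, int $limit = CHEATER_SPEED): array {
    // One snapshot time per Sequence, used to turn a byte delta into a rate.
    $seqTime = [];
    foreach ($rows as $r) {
        $seqTime[$r['Sequence']] = strtotime($r['Time'] . ' UTC');
    }
    $flags = [];
    foreach ($rows as $r) {
        $prev = $r['Sequence'] - 1;
        // UpChange is NULL when the LEFT JOIN found no previous row (new account).
        if ($r['UpChange'] === null || !isset($seqTime[$prev])) {
            continue;
        }
        $seconds = $seqTime[$r['Sequence']] - $seqTime[$prev];
        if ($seconds <= 0) {
            continue; // duplicate run or clock problem, nothing to divide by
        }
        if ($r['UpChange'] < 0) {
            // A shrinking total means the stats were edited or reset: review it.
            $flags[] = ['UserID' => $r['UserID'], 'Sequence' => $r['Sequence'],
                        'Reason' => 'Uploaded total decreased'];
            continue;
        }
        $rate = intdiv($r['UpChange'], $seconds);
        if ($rate > $limit) {
            $flags[] = ['UserID' => $r['UserID'], 'Sequence' => $r['Sequence'],
                        'Reason' => "average $rate B/s over $seconds s"];
        }
    }
    return $flags;
}

// Constructed sample data: two hourly snapshots.
$rows = [
    ['Sequence' => 1, 'UserID' => 7, 'UpChange' => null,         'Time' => '2009-07-30 10:00:00'],
    ['Sequence' => 1, 'UserID' => 8, 'UpChange' => null,         'Time' => '2009-07-30 10:00:00'],
    ['Sequence' => 2, 'UserID' => 7, 'UpChange' => 5368709120,   'Time' => '2009-07-30 11:00:00'], // 5 GiB
    ['Sequence' => 2, 'UserID' => 8, 'UpChange' => 107374182400, 'Time' => '2009-07-30 11:00:00'], // 100 GiB
    ['Sequence' => 2, 'UserID' => 9, 'UpChange' => null,         'Time' => '2009-07-30 11:00:00'], // joined later
];
print_r(flag_fast_uploaders($rows));
```
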

  3. #2
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,386
    Approved! Great work! Thanks for making the information accessible to everyone, especially the source code explanations. We can learn a lot from your post.

    Will there be other "tracker analysis" threads from you?
    "I just remembered something that happened a long time ago."

  4. #3
    great work ,
    thanks for the info,

    hoping for IPT analyzing
    Last edited by cheatos; 30.07.09 at 21:58.


    I am cheatos


  5. #4

    Join Date
    20.07.09
    Posts
    56
    Will there be other "tracker analysis" threads from you?
    Yeah, I think I'll cover another tracker in my next analysis thread. Stay tuned
    Meanwhile, feel free to ask anything about What.CD

  6. Who Said Thanks:

    anon (30.07.09)

  7. #5

    Join Date
    15.06.09
    Location
    Naughty Land
    P2P Client
    Bitcomet & Utorrent
    Posts
    246
    Great work. Very well explained too, yes IPT should be next...

  8. #6
    Well I feel like a nubzor again but thank you for your effort.
    +rep to you my friend.

  9. #7

    Join Date
    21.07.08
    Location
    pakistan
    Posts
    41
    Great work and Very very experienced too.

  10. #8
    Advanced User alpacino's Avatar
    Join Date
    19.03.09
    Location
    locked in Alchemilla Hospital
    P2P Client
    none, just the toolz
    Posts
    2,059
    Thanks for the detailed info, although I don't understand too much (been rusty on source codes for some time now), I'm sure it will be very useful for coders and future tracker designers.
    it's hip to be square

  11. #9
    Advanced User Mihai's Avatar
    Join Date
    05.03.09
    Location
    If i tell you i must kill you
    P2P Client
    WaffleCheat v1.95 build 19928
    Posts
    1,509
    Interesting. But that thing about how much you uploaded and in how much time should make waffles method impossible to use. But it's not and I used it with high speeds too.
    What does a scene tracker tell to a general tracker?
    You're so 5 minutes ago...




  12. #10

    Join Date
    20.07.09
    Posts
    56
    Interesting. But that thing about how much you uploaded and in how much time should make waffles method impossible to use. But it's not and I used it with high speeds too.
    Right now, I can't find any read access to the users_history_ratio or users_history_ratio_hourly table except at economic stats, where the staff see how much total upload / total download there is for their tracker.
    This means staff can't see your ratio history.

    I find stat_history.php but it doesn't have any code in it.
    Maybe the developers don't show it to public or the function isn't ready yet.
    It's better to be careful, though.

    Same thing with "Rejoins Watch" on staff toolbox, it's missing.

  13. #11
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,386
    Slow and steady is the way to go...

    Zorvak, no pressure man, but is it possible for you to analyze the SoftMP3 source code for your next thread? SceneSound and CareStreet are using it.
    "I just remembered something that happened a long time ago."

  14. #12

    Join Date
    08.04.09
    Location
    from heaven
    P2P Client
    utorrent
    Posts
    1,308
    Great work
    +1 from me..
    May be it's useful to some member..

  15. #13

    Join Date
    20.07.09
    Posts
    56
    Great work. Very well explained too, yes IPT should be next...
    Unfortunately, IPT source code isn't released to public.

    Zorvak, no pressure man, but is it possible for you to analyze the SoftMP3 source code for your next thread? SceneSound and CareStreet are using it.
    Don't worry, SoftMP3 is one of the trackers on my analysis list.
    According to the source code, 4 MB/s is the limit, otherwise you'll enter the cheat database.
    But, I'll have to look at the other file to check another anti-cheating script.

    I forgot to say this, but make sure you use tor + elite proxy chain if you want to get Gazelle source code directly from What.CD's SVN.
    Maybe they will closely monitor who download the source code from their server now.
    Last edited by Zorvak; 01.08.09 at 21:27.

  16. Who Said Thanks:

    anon (31.07.09)

  17. #14

    Join Date
    15.06.09
    Posts
    153
    I have a question. I've been banned before, and I got another new acc which was registered using another country's IP; my own IP is dynamic. Is it safe to log in again with this acc? Yeah, of course the IP is different from the one I got banned with, but they belong to an IP range.

  18. #15
    Advanced User alpacino's Avatar
    Join Date
    19.03.09
    Location
    locked in Alchemilla Hospital
    P2P Client
    none, just the toolz
    Posts
    2,059
    This is the wrong section for asking but, anyway, if the account belongs to another country, then it's very likely it will be banned as soon as you log in using your country ip. If you have dynamic ip, you should've created the account in your own country, after cleaning all traces (cookies,etc) and renewing the ip, unless we are talking about a trade here.
    it's hip to be square
